Ivanti have developed an integration for IDAC and Splunk to provide details of block, shadowing, admin audit and agent check-in activity.
This Technology Add-On (TA) provides the props.conf properties required to parse both json and Windows event log-based inputs to use with the corresponding IDAC Splunk app.
An accompanying app, the Ivanti IDAC App for Splunk (https://splunkbase.splunk.com/app/5533/), provides dashboards that visualise the retrieved data.
The add-on was developed and tested against IDAC 5.3, but should support ingestion of logs from any version of IDAC that supports SIEM logging using adc_alp_[32|64].dll.
For ingestion of IDAC event data, install the TA where Splunk will first parse incoming data - heavy forwarders, or indexers if logs are being sent directly from a Splunk Universal Forwarder.
Install the Ivanti IDAC App for Splunk on search heads for dashboards and CIM-compliant field aliases.
To enable SIEM logging on the IDAC server, follow Ivanti's documented instructions (https://forums.ivanti.com/s/article/Syslog-and-Windows-Event-Log-redirection-to-a-3rd-party-SIEM?language=en_US) - or the abridged version that follows.
Take the architecture-specific DLL (adc_alp_32.dll or adc_alp_64.dll) from one of the following two locations in the product installation folders, depending on whether you want to log to a flat file (json) or Windows event log ('wel'):
Copy the relevant DLL to the location where IDAC's service (sxs.exe) is running, for example: c:\windows\syswow64. If using json logging, create a configuration file (example below) and restart the service.
Example configuration file, named adc_alp_<architecture>.config and located in the same folder as adc_alp_<architecture>.dll:
{
    "folder": "c:\\IDAC_logs",
    "filename":
    {
        "prefix": "IDAC_Log_",
        "extension": "json"
    }
}
As per Ivanti's documented guidance, 'There is no cleaning done by the DLL, the consumer will need to take care of deleting the files when processed'.
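Because the DLL never removes the files it writes, something on the IDAC server has to. The script below is an added example (not part of the TA or of Ivanti's guidance) of a simple age-based retention job: it lists or deletes IDAC_Log_*.json files older than a chosen number of days and skips anything modified in the last few minutes. The folder, prefix and extension are assumed to match the configuration file above; the settle window is an assumption about when a file can safely be considered complete.

```python
"""Retention helper for IDAC json SIEM log files (added example, not part of the TA).

The adc_alp DLL does not clean up the files it writes, so this job removes
completed IDAC_Log_*.json files once they are older than a chosen number of
days, and leaves anything that may still be in use alone.
"""
import time
from pathlib import Path

# Assumed to match the 'folder', 'prefix' and 'extension' values in
# adc_alp_<architecture>.config shown above.
DEFAULT_LOG_DIR = Path(r"c:\IDAC_logs")
FILE_PREFIX = "IDAC_Log_"
FILE_EXTENSION = ".json"

# A file touched this recently is treated as possibly still open by the DLL
# or not yet read by the Splunk file monitor (assumption, tune to your lag).
SETTLE_SECONDS = 300


def select_expired_logs(folder, max_age_days, now=None, settle_seconds=SETTLE_SECONDS):
    """Return IDAC log files in `folder` whose last modification is older than
    `max_age_days`, skipping files modified within `settle_seconds` of `now`."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    expired = []
    for path in sorted(Path(folder).glob(f"{FILE_PREFIX}*{FILE_EXTENSION}")):
        if not path.is_file():
            continue
        mtime = path.stat().st_mtime
        if mtime > now - settle_seconds:
            continue  # possibly still being written or not yet ingested
        if mtime < cutoff:
            expired.append(path)
    return expired


def purge_expired_logs(folder, max_age_days, dry_run=True, now=None):
    """Delete (or, with dry_run=True, only list) expired IDAC log files.
    Returns the paths that were, or would be, removed."""
    removed = []
    for path in select_expired_logs(folder, max_age_days, now=now):
        if not dry_run:
            path.unlink()
        removed.append(path)
    return removed


if __name__ == "__main__":
    import sys
    # Usage: python idac_log_retention.py [days] [--delete]
    days = int(sys.argv[1]) if len(sys.argv) > 1 and sys.argv[1].isdigit() else 7
    live = "--delete" in sys.argv
    for p in purge_expired_logs(DEFAULT_LOG_DIR, days, dry_run=not live):
        print(("deleted " if live else "would delete ") + str(p))
```

Run it in dry-run mode first and compare the listed files against what Splunk has already indexed (for example by searching the idac index for the file name as `source`) before scheduling it with --delete; a file deleted before the forwarder has read it is lost data.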
To ingest logs, deploy an inputs.conf to an IDAC server with monitor stanzas for either the Application event log or the file path if using json-based logging. Example (disabled) inputs.conf entries are provided in the TA's /default folder, and shown (enabled) below:

[monitor://C:\idac_logs\*.json]
disabled = 0
index = idac
sourcetype = ivanti:idac:json

[WinEventLog://Application]
renderXml = 1
disabled = 0
start_from = oldest
current_only = 0
whitelist = SourceName="idac_siem_sxs"
sourcetype = ivanti:idac:wel
source = ivanti:idac:wel:application
index = idac
Notes:
* Ensure that the target index is correct: if 'idac' doesn't exist, then create it or choose a different index.
* If already ingesting the Application event log from the IDAC server, the use of transforms.conf may be required on a Heavy Forwarder or indexer to dynamically reassign the sourcetype to ivanti:idac:wel.
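The following props.conf/transforms.conf pair is an added example (not shipped with the TA) of that reassignment. It assumes the existing Application-log input renders XML (renderXml = 1) and arrives with the default source XmlWinEventLog:Application; the props stanza name must be changed to whatever source or sourcetype your existing input actually assigns. Only events from the idac_siem_sxs provider named in the whitelist above are rewritten, so other Application-log events keep their current sourcetype.

```ini
# props.conf (on the heavy forwarder or indexer that first parses the events)
# Stanza name is an assumption: match it to the source or sourcetype your
# existing Application-log input already assigns.
[source::XmlWinEventLog:Application]
TRANSFORMS-idac_route = idac_set_sourcetype, idac_set_index

# transforms.conf
# Splunk's rendered XML carries the provider as <Provider Name='idac_siem_sxs'/>;
# the character class tolerates either quote style.
[idac_set_sourcetype]
REGEX = <Provider Name=['"]idac_siem_sxs['"]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::ivanti:idac:wel

# Optional: also move those events into the idac index (the index must exist)
[idac_set_index]
REGEX = <Provider Name=['"]idac_siem_sxs['"]
DEST_KEY = _MetaData:Index
FORMAT = idac
```

These transforms apply at index time only, so events already indexed under the old sourcetype are not changed; after restarting the parsing tier, confirm with a search such as index=idac sourcetype=ivanti:idac:wel that new IDAC events arrive with the expected sourcetype and that the existing input's whitelist does not exclude the idac_siem_sxs provider.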
For further guidance around ingestion refer to the Splunk 'Getting Data In' (https://docs.splunk.com/Documentation/Splunk/latest/Data/Getstartedwithgettingdatain) or Cloud-focused GDI documentation (https://docs.splunk.com/Documentation/SplunkCloud/latest/Admin/IntroGDI).
If nothing is appearing in the IDAC target index, check the _internal index for entries from the IDAC host.
For support, please raise a support call with Ivanti: https://www.ivanti.com.au/support/contact
Intalock (www.intalock.com.au)
v1.0.1